On Tue, Dec 18, 2018 at 11:13 PM Richard Hipp <d...@sqlite.org> wrote:
> On 12/18/18, Dominique Devienne <ddevie...@gmail.com> wrote: > > https://blade.tencent.com/magellan/index_en.html > > > > Sounds to me it's more related to a "remote callable" program like > Chrome, > > than SQLite proper, but I'd like an official stance on SQLite itself > please. > > There was a bug in FTS3 (not in the SQLite core) that allowed an SQL > Injection to escalate into a Remote Code Execution (RCE). Thanks. Good to know. Understanding how it happened is as important as knowing this is fixed in SQLite already (in due time of course, when it's "safe" to share information). Much appreciated. > By making malicious changes to the shadow tables that FTS3 uses and then > running > FTS3 queries that used those tables, an integer overflow could cause a > buffer overrun, which if carefully managed might lead to an RCE. [... more details] We are hard at work on additional defense-in-depth measures now. > Could there be a way to make shadow tables off-limit to arbitrary SQL? By explicitly taking them as such, and creating them with a "secret" associated to them, so that preparing a statement against them also needs that "secret"? The goal being to restrict access to those tables to only the vtable-related code that is the "front-end" to those shadow tables. Only that code should have direct access to those tables, at least on the write-side of them. I understand that they are persistent, so what would be relatively "easy" to do at runtime for the connection, becomes harder w/o changing the file-format or introducing new sqlite_... reserved tables older versions of SQLite would ignore. I hope you can think of ways to persist more meta-data about tables in general, be it that FKs should be enforced by default on them when new connections are created by them, or to persist the fact a table is a shadow tables associated to a given virtual-table module, such that only that module (somehow) can write them. My $0.02. --DD _______________________________________________ sqlite-users mailing list sqlite-users@mailinglists.sqlite.org http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users
